Module 1: The Foundation Stone

The 10 Sacred Clauses


The 10 Sacred Clauses of ISO 27001

The heart of ISO 27001 lies in its 10 clauses. Clauses 1-3 are introductory, while Clauses 4-10 contain the actual requirements you must implement.

Clause Structure Overview

Clause   Title                         Purpose
------   -------------------------     ----------------------------------
1        Scope                         Defines what the standard covers
2        Normative references          Points to ISO 27000
3        Terms and definitions         Vocabulary reference
4        Context of the organization   Understand your environment
5        Leadership                    Top management commitment
6        Planning                      Risk and opportunity management
7        Support                       Resources, competence, awareness
8        Operation                     Implement and operate
9        Performance evaluation        Monitor and measure
10       Improvement                   Continual enhancement

Clause 4: Context of the Organization

This clause asks: "Who are you, and what's your security environment?"

4.1 Understanding the Organization

  • Internal factors (culture, structure, capabilities)
  • External factors (legal, market, technological)

4.2 Understanding Stakeholder Needs

  • Who cares about your security?
  • What do they expect?
  • Customers, regulators, employees, partners

4.3 Determining the Scope

  • What's included in your ISMS?
  • What's excluded (and why)?
  • Boundaries and applicability

4.4 The ISMS Itself

  • Establish, implement, maintain, improve
  • The continuous cycle

Clause 5: Leadership

Security starts at the top. This clause ensures management is actively involved.

5.1 Leadership and Commitment

  • Demonstrable support from top management
  • Integration with business processes
  • Resources provided

5.2 Policy

  • Information security policy established
  • Appropriate to the organization
  • Communicated throughout

5.3 Roles and Responsibilities

  • Clear assignments of duties
  • Authority defined
  • Accountability established

Clause 6: Planning

This is where risk management lives—the core of ISO 27001.

6.1 Actions to Address Risks and Opportunities

  • Risk assessment process
  • Risk treatment process
  • Statement of Applicability (SoA)

6.2 Information Security Objectives

  • Measurable goals
  • Aligned with policy
  • Communicated and updated

6.3 Planning of Changes

  • Systematic approach to changes
  • Impact assessment
  • Resource planning

Clause 7: Support

You can't have security without resources.

7.1 Resources

  • What's needed to maintain the ISMS?
  • Budget, people, technology

7.2 Competence

  • Skills required
  • Training and development
  • Evidence of competence

7.3 Awareness

  • Everyone knows the policy
  • Their contribution matters
  • Consequences of non-conformance

7.4 Communication

  • What to communicate
  • When and to whom
  • How to communicate

7.5 Documented Information

  • Required documentation
  • Creation and updating
  • Control of documents

Clause 8: Operation

Now we execute the plans.

8.1 Operational Planning and Control

  • Implement risk treatment plans
  • Control processes
  • Outsourced processes managed

8.2 Information Security Risk Assessment

  • Perform at planned intervals
  • When significant changes occur
  • Retain results

8.3 Information Security Risk Treatment

  • Implement the treatment plan
  • Retain results

Clause 9: Performance Evaluation

You can't improve what you don't measure.

9.1 Monitoring, Measurement, Analysis, Evaluation

  • What to monitor?
  • Methods used
  • When and who

9.2 Internal Audit

  • Planned audit program
  • Objective and impartial
  • Results reported to management

9.3 Management Review

  • Regular reviews by top management
  • Specific inputs required
  • Decisions and actions documented

Clause 10: Improvement

The ISMS is never "done"—it evolves.

10.1 Continual Improvement

  • Suitability, adequacy, effectiveness
  • Ongoing enhancement

10.2 Nonconformity and Corrective Action

  • React to problems
  • Investigate root causes
  • Implement corrections
  • Review effectiveness

The PDCA Cycle

These clauses follow the Plan-Do-Check-Act cycle:

  • Plan (Clauses 4-6): Understand context, establish objectives, plan actions
  • Do (Clauses 7-8): Support and operate the ISMS
  • Check (Clause 9): Monitor and review performance
  • Act (Clause 10): Improve and correct

Next Lesson: Explore all 93 controls in Annex A.
